Re: NFS4 authentification / fsuid

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: J. Bruce Fields

Subject: Re: NFS4 authentification / fsuid

Date: Friday, September 7, 2007 - 8:34 am

On Fri, Sep 07, 2007 at 01:32:52AM +0200, Trond Myklebust wrote:
quoted text> Sorry. Of course, you have to copy the entire /lib, etc. onto the tmpfs,
> but you get the gist....
> 
> The point is that it is easy to subvert userspace if you have enough
> privileges. In the above example it may not be entirely undetectable,
> but who here is running a script on every login to check that / is
> indeed uncompromised?

I suppose this is the motivation for things like the "secure attention
key"?

But I'm most curious actually about to what degree the kernel itself is
vulnerable to root (without a reboot).  Is disabling /dev/kmem and
module-loading in theory enough?  (Modulo bugs like filesystems that
aren't secure against untrusted filesystems, etc.)

--b.
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

NFS4 authentification / fsuid, Jan Engelhardt, (Thu Aug 30, 7:12 am)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Aug 30, 7:29 am)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Aug 30, 7:32 am)

Re: NFS4 authentification / fsuid, Jan Engelhardt, (Thu Aug 30, 7:42 am)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Aug 30, 8:04 am)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Thu Aug 30, 8:12 am)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Thu Aug 30, 2:44 pm)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Thu Sep 6, 1:14 am)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Thu Sep 6, 1:29 am)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Thu Sep 6, 8:06 am)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Thu Sep 6, 8:11 am)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Sep 6, 4:21 pm)

Re: NFS4 authentification / fsuid, Kyle Moffett, (Thu Sep 6, 4:30 pm)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Sep 6, 4:32 pm)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Sep 6, 4:35 pm)

Re: NFS4 authentification / fsuid, Kyle Moffett, (Thu Sep 6, 5:56 pm)

Re: NFS4 authentification / fsuid, Trond Myklebust, (Thu Sep 6, 10:14 pm)

Re: NFS4 authentification / fsuid, Kyle Moffett, (Thu Sep 6, 10:47 pm)

Re: NFS4 authentification / fsuid, Bernd Eckenfels, (Thu Sep 6, 11:37 pm)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Fri Sep 7, 8:34 am)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Tue Sep 18, 4:12 pm)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Tue Sep 18, 4:27 pm)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Tue Sep 18, 4:44 pm)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Tue Sep 18, 4:48 pm)

Re: NFS4 authentification / fsuid, Kyle Moffett, (Tue Sep 18, 10:16 pm)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Wed Sep 19, 5:16 am)

Re: NFS4 authentification / fsuid, Kyle Moffett, (Wed Sep 19, 6:49 am)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Wed Sep 19, 7:12 am)

Re: NFS4 authentification / fsuid, J. Bruce Fields, (Wed Sep 19, 8:01 am)

Re: NFS4 authentification / fsuid, Valdis.Kletnieks, (Wed Sep 19, 9:38 am)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Thu Sep 20, 12:03 am)

Re: NFS4 authentification / fsuid, Satyam Sharma, (Thu Sep 20, 12:15 am)


linux-kernel:
Greg Kroah-Hartman	[PATCH 17/36] sysdev: detect multiple driver registrations
Greg Kroah-Hartman	[PATCH 22/36] PM: Make wakeup flags available whenever CONFIG_PM is set
Greg Kroah-Hartman	[PATCH 20/36] Driver core: Call device_pm_add() after bus_add_device() in device_a...
Rafael J. Wysocki	[Bug #16136] Linux 2.6.34 causes system lockup on Compaq Presario 2200 Laptop
Pekka Enberg	Re: BUG in free_block (tainted)
git:
Johannes Schindelin	Re: [PATCH 2/2] git-svn: support fetch with autocrlf on
Mark Burton	Re: [PATCH] builtin-branch: highlight current remote branches with an asterisk
Junio C Hamano	Re: [PATCH 6/6] Teach core object handling functions about gitlinks
Johannes Schindelin	Re: Trying to use git-filter-branch to compress history by removing large, obsolet...
Junio C Hamano	Re: git-svnimport
linux-netdev:
Daniel Schaffrath	Re: tcp bw in 2.6
Frans Pop	[PATCH] ipv4: make default for INET_LRO consistent with help text
Gerrit Renker	[PATCH 37/37] dccp: Debugging functions for feature negotiation
Patrick McHardy	Re: [PATCH RESEND 1/3] netfilter: xtables: inclusion of xt_condition
Daniel Lezcano	getsockopt(TCP_DEFER_ACCEPT) value change
openbsd-misc:
Conor	Re: RFID Reader
Josh Grosse	ssh/sshd challenge-response seems to have stopped working in -current
Pieter Verberne	File collision while using pkg_add
Stuart Henderson	Re: SquidGuard problem
Western Union	Online account has been suspended
git-commits-head:
Linux Kernel Mailing List	ath9k_htc: Allocate URBs properly
Linux Kernel Mailing List	ath9k: Added get_survey callback in order to get channel noise
Linux Kernel Mailing List	ALSA: snd-usb-caiaq: Do not expose hardware input mode 0 of A4DJ
Linux Kernel Mailing List	V4L/DVB (9041): Add support YUAN High-Tech STK7700D (1164:1f08)
Linux Kernel Mailing List	cpumask: make irq_set_affinity() take a const struct cpumask